Much attention is now being directed towards the concept of Zero Trust. A quick search reveals no shortage of stories heralding it as the future of cyber security implementation, and no shortage of vendors offering associated solutions. So, what does it mean and why does it matter?
The term itself has its origins in a proposal from John Kindervag of Forrester back in 2010, advocating that we should abandon the notion of trusted and untrusted networks and instead view all network traffic as untrusted[i]. This is a significant step away from the traditional view of security, which basically adopted a ‘castle and moat’ mentality and assumed that things within the walls were trustworthy. Of course, it doesn’t take much to realise that this model is both flawed and outdated in the context of modern systems. Firstly, it rather neglects the potential for problems that can arise internally (e.g. user identities may be compromised, or genuine users may act maliciously or irresponsibly). Secondly, and perhaps more particularly, it’s unrealistic to try to view today’s organisations as self-contained entities operating from fixed premises. The data is off in the cloud and users are accessing from a range of devices and locations. In short, we don’t just have one castle to protect anymore.
The focus on Zero Trust has increased in the last 18 months as a result of NIST Special Publication 800-207 on “Zero Trust Architecture”[ii] and more recently the US Executive Order on Improving the Nation’s Cybersecurity, requiring that the Federal Government must adopt security best practices, which includes advancing toward Zero Trust Architecture[iii].
So, what are organisations advised to be doing about it? The bottom line is not to trust any resource (people or applications), which in turn means that no access should be granted until the network knows who the user is and whether they’re authorized. Moreover, everything trying to connect must be verified before granting access. In this way, it becomes a process of continuous verification rather than a set of one-off decisions. Of course, this is easy to say, but how can it be achieved in practice? Realising Zero Trust is about using appropriate technologies to achieve effective governance and secure the organisation. Such technologies can include (amongst other things) identity and access security, multifactor authentication, file system permissions, encryption, network segmentation, and next-generation firewalls. So, as should be apparent from the fact that these are all recognised names, Zero Trust is not necessarily about new technologies, but about using known solutions in a more effective and scalable way. In short, it’s the combination of technologies and the right mindset. Which leads to the question of how to ensure the mindset.
The use of an industry framework enables a maturity journey to recognize immediate security value, while continuing to extend protection faster and further in an organization’s IT environment. In a recent survey conducted by CrowdStrike, about 40% of respondents had chosen NIST 800-207 as their framework[iv]. The advantage is that it encompasses the intent of other frameworks (such as Forrester ZTX and Gartner CARTA) and has gone through a rigorous vetting process. As a result, it is now the de facto requirement for many public sector organizations.
The NIST standard itself centres around the following key technology concepts:
- Behavioural analysis of users and identities. This helps detect insider threats and when a legitimate credential is compromised by a malicious actor.
- Segmentation and least privileged access. The idea here is to limit the “blast radius” if a breach does occur.
- Automate context. To create more accurate ML and decisions, information from a wide range of data sources (and not just from the identity, workload, data, and network stack) is critical for minimizing the impact on security operations.
- Continuous verification. The idea is to use something like a risk-based conditional access technology to challenge suspect activities and minimize the impact on IT, security, and end users.
The value of using such a framework is that it ensures that enterprises do not rely on the technical standards or definitions set by a single vendor, and thus need to do less integration and updates as their technical or business needs change.
At the same time, just meeting a standard is not enough to ensure success in a real-world implementation. If not done correctly, a Zero Trust stack can create significant overhead, especially if required to validate all trust relationships, all the time. Therefore, practical considerations must also come into play. Challenging users each time they need to access data would be impractical and would impact acceptability and productivity. As such, a risk-based conditional access approach is advocated, which only interrupts the user workflow if the risk associated with the user, endpoint, identity, or other factors changes. This makes it easier for the user, and reduces false positives as well as the volume of calls to related support teams.
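The risk-based conditional access approach described above, sketched as an added example (not code from NIST SP 800-207 or from any vendor): every request is scored against the last verified context, and the user is challenged only when that score crosses a threshold. The `Context` fields, the weights and thresholds, and the `PolicyDecisionPoint` class are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:                      # signals seen on one access request
    user: str
    device_id: str
    device_compliant: bool
    country: str

# Assumed weights and thresholds, chosen for illustration only.
WEIGHTS = {"device_changed": 40, "device_noncompliant": 50, "country_changed": 40}
STEP_UP_AT, DENY_AT = 40, 80

def risk_score(ctx, baseline):
    """Score how far this request has moved from the last verified context."""
    if baseline is None:
        return STEP_UP_AT           # nothing verified yet: challenge first access
    return (WEIGHTS["device_changed"] * (ctx.device_id != baseline.device_id)
            + WEIGHTS["device_noncompliant"] * (not ctx.device_compliant)
            + WEIGHTS["country_changed"] * (ctx.country != baseline.country))

class PolicyDecisionPoint:
    """Evaluates every request but interrupts the user only when risk changes."""
    def __init__(self):
        self.baselines = {}         # user -> last context that passed verification
    def decide(self, ctx, mfa_passed=False):
        score = risk_score(ctx, self.baselines.get(ctx.user))
        if score >= DENY_AT:
            return "deny"
        if score >= STEP_UP_AT:
            if not mfa_passed:
                return "step_up"    # caller challenges, then retries with mfa_passed=True
            self.baselines[ctx.user] = ctx   # verified: becomes the new baseline
        return "allow"

def replay(requests):
    """Run requests through one PDP, answering each challenge with a successful MFA."""
    pdp, outcomes = PolicyDecisionPoint(), []
    for ctx in requests:
        result = pdp.decide(ctx)
        if result == "step_up":
            result = "step_up->" + pdp.decide(ctx, mfa_passed=True)
        outcomes.append(result)
    return outcomes

# Constructed sample traffic for one user (not real data).
SAMPLE = [Context("alice", "laptop-1", True, "GB")] * 3 + [
    Context("alice", "phone-7", True, "GB"),     # new device: one challenge
    Context("alice", "phone-7", True, "GB"),     # unchanged since the challenge
    Context("alice", "tablet-3", False, "FR"),   # several signals change at once
]
```

Replaying `SAMPLE` interrupts the user twice in six requests (first access and the new device) and denies the request where device, compliance and country all change together.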
[i] Kindervag, J. 2010. No More Chewy Centers: Introducing The Zero Trust Model Of Information Security, Forrester, 14 September 2010.
[ii] Rose, S., Borchert, O., Mitchell, S. and Connelly, S. 2020. Zero Trust Architecture. NIST Special Publication 800-207. National Institute of Standards and Technology, August 2020. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
[iii] White House. 2021. Executive Order on Improving the Nation’s Cybersecurity, 12 May 2021. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
[iv] CrowdStrike. 2021. Accelerate Your Zero Trust Security Journey. https://www.crowdstrike.com/wp-content/uploads/2021/09/accelerate-your-zero-trust-security-journey-infograph.pdf